Sunday, January 24, 2016

This week a Ukrainian hacker, made famous for attempting to frame security journalist Brian Krebs by mailing him heroin purchased on the Silk Road, had his day in court and chose to plead guilty. Krebs blogged about his 2014 arrest in Italy under the title "The Fly Has Been Swatted," but now that a guilty plea has been entered, we can see the details of the case.

In June 2013, a U.S. Secret Service agent swore out a criminal complaint against Vovnenko for crimes he committed against citizens in New Jersey. Although we loosely call most cyber crimes "Federal Crimes," charges can only be brought for damage local to the district of the U.S. Attorney's office that files them.

From 2003 until 2013, the complaint states, SERGEY VOVNENKO, AKA Centurion, AKA Flycracker, AKA Flyck, AKA MUXACC1, AKA Stranier, ran various scams related to carding. In one specific instance, cards were stolen "on or about" March 14, 2011 from a victim in Rutherford, NJ, in violation of Title 18, Section 371 of the U.S. Code. Many of the early attacks used SQL Injection to gain access to web-facing target computers that could reach databases of personally identifiable information and credit card data. Vovnenko in particular advertised "dumps" services using both a Twitter account and an ICQ account.

Between 2009 and 2011, Vovnenko managed to plant malware on computers at "Victim 1," which is described as a "global financial institution with millions of customer accounts" that "maintained significant infrastructure in New Jersey, including computer servers housing banking information located in New Jersey."

Vovnenko was an old-school carder. He originally sold his dumps on the Shadowcrew website, which was shut down in 2004 by the U.S. Secret Service. (That site is where Vovnenko began chatting with the now infamous data breach king Albert Gonzalez.) In 2008, Vovnenko used ICQ to chat with Vladislav Horohorin, the hacker known as "BadB." BadB was sentenced to 88 months for trafficking in stolen cards and for his role in the $9M theft from Atlanta-based RBS WorldPay. By 2010, Vovnenko was actively selling as "Centurion" on CardingWorld, Mazafaka, and Verified.ru.

Our complainant testifies that on or about March 16, 201, Vovnenko chatted with another criminal who asked him to review the logs from his botnet to see whether they contained IP addresses indicating that some of his bots were inside the NJ-based financial institution known as "Victim 1" in the court documents. He did, and was then asked to plant an executable on that computer to give his co-conspirator remote control of it. (We've seen this type of "log selling" before, where a "commodity botnet infection" leads to targeted attacks on specific institutions. See my blog post about the Fox-IT/Group-IB "Anunak" report, "Botnets, APTS, and Malicious Emails.")

A "Zeus Logs" seller offers 240MB of logs for $300-$400 ...
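The "log review" the complaint describes cuts both ways: a bank's security team that obtains a copy of recovered or leaked bot logs can run the same check from the other side, looking for its own egress addresses (infected staff workstations) and its own web properties (infected customers submitting credentials). The script below is an added illustration, not code from the court documents or from the Anunak report; the pipe-delimited log format, the example-bank.test domain and the 198.51.100.0/24 range are all constructed for the example.

```python
"""Triage recovered botnet log lines against an organization's own
IP ranges and domains.  Constructed example: the log format, ranges and
domains are assumptions, not real Zeus output or real institution data."""
import ipaddress
import re

# Constructed sample lines in an assumed "timestamp|bot_id|source_ip|url" layout.
SAMPLE_LOGS = """\
2011-03-14 09:12:44|BOT-00A1|198.51.100.23|https://intranet.example-bank.test/login
2011-03-14 09:13:02|BOT-00A1|198.51.100.23|https://mail.example-bank.test/owa
2011-03-14 10:40:17|BOT-17F3|203.0.113.9|https://shop.example.test/checkout
2011-03-15 07:02:55|BOT-2B9C|192.0.2.77|https://online.example-bank.test/account
not a log line
2011-03-15 08:11:08|BOT-0C44|198.51.100.250|http://news.example.test/
""".splitlines()

# Constructed stand-ins for the institution's public egress space and web domains.
ORG_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
ORG_DOMAINS = {"example-bank.test"}

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<bot>[^|]+)\|(?P<ip>[^|]+)\|(?P<url>.+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def parse_line(line):
    """Return a dict for a well-formed line, or None for junk or a bad IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"].strip())
    except ValueError:
        return None
    host_m = HOST_RE.match(m["url"].strip().lower())
    host = host_m.group(1) if host_m else ""
    return {"ts": m["ts"], "bot": m["bot"], "ip": ip, "host": host}


def host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(lines, ranges=ORG_RANGES, domains=ORG_DOMAINS):
    """Return (internal, customer): bot ids whose source IP sits in the org's
    ranges (likely infected staff hosts, mapped to the IPs seen) and bot ids
    that posted to the org's own domains (likely infected customers, mapped
    to the hosts they reached)."""
    internal, customer = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        if any(rec["ip"] in net for net in ranges):
            internal.setdefault(rec["bot"], set()).add(str(rec["ip"]))
        if host_in_domains(rec["host"], domains):
            customer.setdefault(rec["bot"], set()).add(rec["host"])
    return internal, customer


if __name__ == "__main__":
    internal, customer = triage(SAMPLE_LOGS)
    for bot, ips in sorted(internal.items()):
        print(f"internal host: {bot} seen from {', '.join(sorted(ips))}")
    for bot, hosts in sorted(customer.items()):
        print(f"customer-facing hit: {bot} reached {', '.join(sorted(hosts))}")
```

Each hit in the first list is a workstation to pull for incident response; each hit in the second is a customer account whose credentials should be treated as exposed. Running the check on the organization's own data is what separates this from the log selling the complaint describes.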

A Criminal Complaint is only intended to show Probable Cause to open an investigation. It does not require the same level of detail as an Indictment, which charges the accused with committing specific criminal acts.

The Indictment came in April of 2014 ...

The Indictment adds further aliases (Tomas Rimkis, Darklife) and specific charges. We'll focus on Counts One and Three, which are the ones he pleaded guilty to this week.

Count One: Wire Fraud Conspiracy (18 U.S.C. § 1349)
From September 2010 to August 2012, VOVNENKO and his co-conspirators "operated an international criminal organization that hacked into the computers of individual users and of companies in the United States and elsewhere, and used that access to steal data, including, among other things, user names and passwords for bank accounts and other online services, as well as debit and credit card numbers and related personal identifying information. After stealing the Log-In Credentials and Payment Card Data, defendant VOVNENKO and his co-conspirators used that information to illegally access and withdraw money from bank accounts and to incur unauthorized charges using the payment card data." They also sold the data on online forums to individuals and groups that in turn did other illegal things with it.

The indictment states that VOVNENKO had a botnet of "over 13,000 computers infected with malware" and that several of the infected computers were in New Jersey. At least part of the malware was "Zeus," which specializes in stealing banking information and recording users' keystrokes. At least one employee (known as "J.H." in the indictment) of the Victim 1 bank had his workstation infected, and from that base the botnet was able to contact and interact with computers located inside financial institutions. Counts Three through Six of the indictment refer to the specific acts of logging in to J.H.'s computer "in relation to felony violations" of 18 U.S.C. § 1349 and 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(i).

By December of 2015, Vovnenko and his lawyers knew he was going to be found guilty on all charges, no ifs, ands, or buts. They agreed to a plea agreement in which Vovnenko took the rap for Count One and Count Three, accepting that he could face a sentence of 20 years imprisonment and a $250,000 fine. Because he also faced the charge of Aggravated Identity Theft, there is an additional two-year mandatory minimum sentence that cannot run concurrently with any other sentence. Further, VOVNENKO understood that he may be required to pay restitution, and that he will likely be deported after his sentence is served.

Sentencing in this case is set for May 2, 2016. At that time, a Money Judgment will also be entered regarding the amount of Restitution that may be required.